Hi Tom,
Some time ago I was fiddling with pfSense to make it my gateway. I abandoned this idea because there were a couple of key issues for me:
- BSD needs a device for each IPIP tunnel, which makes things much harder to set up;
- pfSense does not have the protocols used enabled by default, so the web interface needs manual editing after each update. You have to do it yourself every time;
- Linux has ready-made scripts to get the job done. These scripts were made by good hams here and tested by several other people. It is easier to create a small virtual machine and get a 256MB RAM Devuan working than to create a gateway using BSD.
- The pfSense team is set on taking pfSense the commercial way as a product, so do not expect any support in getting things working. Their support forum is getting more unconcerned every day.
If you are still inclined to use some type of BSD firewall as an AMPRNet gateway, I suggest starting with OPNSense. It was a project forked from pfSense, but today it has only 10% of the original code and still has open source as a priority. Their forum is much more friendly and responsive.
OPNSense has all protocols listed in the web interface, so passing IPIP traffic back and forth is more intuitive (I still would not use it as a gateway anyway).
Hope this helps,
73 de PT2LDR
Luzemario
www.luzehost.com.br
On 06-01-2018 18:00, 44net-request@mailman.ampr.org wrote:
Greetings, I was working with Dan Cooper last spring to turn my pfSense box into an ampr gateway. At the time I was trying to learn how IPIP worked AND how BSD (pfSense) worked. I'm pretty well versed in linux... BSD... not so much.
At the time I moved to Linux and Lynwood helped me get my head around how the IPIP tunneling works. After seeing the volume of traffic that tries to crack into my residential ISP connection (even though it fails) I've decided to put my ampr gateway into a DMZ. I'm currently in the process of moving my AMPR gateway into a pfSense DMZ.
I work in a loosely security related position at work and I'm doing this as a security measure to knock down some of the noise my Linux gateway/Router/Firewall/AMPRgateway was seeing, mostly from Russia, China and other places that I didn't research. My new AMPR gateway will still be on Linux, actually Raspbian on a Raspberry Pi, but the only traffic it'll ever see is encapsulated traffic and traffic from my network because all of the other noise will be filtered by the pfSense box and won't exist in my DMZ.
Out of the box the pfSense user interface doesn't have support for ipencap or AX25. I did a little bit of research (google) and found an older post on the pfsense forum about which files to edit to add ipencap and ax25 to the UI. Also, I just asked on the pfSense subreddit to see if there are any other places within the pfSense UI to edit which protocols are available for use.
Is anyone else using this method to NAT forward IPIP traffic to an internal gateway (in my case using pfSense)? I'm looking to find out if I've missed anything with the port forwarding before I move forward. I know Brian (N1URO) was working with IPIP tunneling behind a NAT and I think (THINK) this might work.
So... here's what I've done.
pfSense version is 2.4.2p1. File edits follow...
In file: /usr/local/www/firewall_nat_edit.php
On line 708, change: $protocols = "TCP UDP TCP/UDP ICMP ESP AH GRE IPV6 IGMP PIM OSPF";
To: $protocols = "TCP UDP TCP/UDP ICMP ESP AH GRE IPV6 IGMP PIM OSPF IPENCAP AX25";
In file: /usr/local/www/firewall_nat_out_edit.php
On line 510, change: $protocols = "any TCP UDP TCP/UDP ICMP ESP AH GRE IPV6 IGMP carp pfsync";
To: $protocols = "any TCP UDP TCP/UDP ICMP ESP AH GRE IPV6 IGMP carp pfsync IPENCAP AX25";
In file: /usr/local/www/firewall_rules_edit.php
Insert as lines 1315 and 1316:
'ipencap' => 'IPENCAP',
'ax25' => 'AX25',
-- Tom / n2xu / MSgt USAF (Ret) / BSCS, CASP
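A post-update check for the three file edits listed above, added here as an example and not part of the thread: it assumes the file paths and strings Tom quoted, a POSIX sh on the pfSense box, and uses its own names (has_string, check_edits) for the helpers.

```shell
#!/bin/sh
# Added example, not from the thread: re-check the three pfSense UI edits
# listed above after every upgrade, since updates overwrite these files.
# The paths and strings are the ones quoted in the thread; the function
# names are chosen here.  Usage: sh check_pfsense_edits.sh /usr/local/www

# has_string FILE STRING: 0 if FILE is readable and contains STRING literally.
has_string() {
    [ -r "$1" ] && grep -qF -- "$2" "$1"
}

# check_edits DIR: report each expected edit under DIR/; the return value is
# the number of edits that are missing (0 means the UI still lists them all).
check_edits() {
    dir="$1"
    missing=0
    # file:expected-string, one entry per protocol per edited file
    for spec in \
        "firewall_nat_edit.php:IPENCAP" \
        "firewall_nat_edit.php:AX25" \
        "firewall_nat_out_edit.php:IPENCAP" \
        "firewall_nat_out_edit.php:AX25" \
        "firewall_rules_edit.php:'ipencap' => 'IPENCAP'" \
        "firewall_rules_edit.php:'ax25' => 'AX25'"
    do
        file="${spec%%:*}"
        want="${spec#*:}"
        if has_string "$dir/$file" "$want"; then
            echo "ok       $file: $want"
        else
            echo "MISSING  $file: $want  (re-apply the edit)"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Run against a real www tree when a directory is given on the command line.
if [ $# -gt 0 ]; then
    check_edits "$1"
    exit $?
fi
```

A non-zero exit status is the count of edits the upgrade wiped out, so the script can be run from cron or right after an update before testing the NAT forward again.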
I'm using pfSense in its default use except I'm NAT forwarding the ipencap to another machine in my DMZ which will act as my gateway. I don't know if it'll work but I am seeing traffic at my AMPR gateway so I think I might be onto something positive. I will fully document if I get it working.
--tom
On Sun, Jan 7, 2018 at 7:13 AM Luzemário Dantas luzemario@luzemario.net.br wrote:
--
73 de N2XU/Tom Cardinal/MSgt USAF (Ret)/BSCS/Security+/IPv6 Certified